Can passwords or USB sticks be used with virtual smart cards?

Hi,

I have a security requirement whereby we need to ensure that only authorized users can log on to Windows 8.1 devices. Looking at virtual smart cards, I can see that the virtual smart card is stored on the laptop (i.e. device) using its TPM module, but what strikes me about this is that using a virtual smart card to log in to a laptop with a PIN is less secure than a password: if a thief steals a laptop, he's already got the machine and it's easier to look over someone's shoulder and catch a 4-digit PIN than an 8-character alphanumeric password - am I missing something here?

Am I right in thinking that there's a maximum of 10 virtual smart cards that can be attached to a PC at a time and therefore only up to 10 users will be able to log in to a Windows 8.1 PC using virtual smart cards?

Can the virtual smart card PIN be used in conjunction with a traditional AD username and password login?

What I'm really after is an out-of-the-box Microsoft solution which could do the following:
- Allow a user to log in to a Windows 8.1 laptop only if the user does both 1 & 2:

1. Has a valid AD username and password
2. Inserts a hardware device, such as a USB key, and then enters their own PIN associated with their account and the USB key

I've got a situation where multiple users share devices and we want to ensure that valid users are logging in. My initial thoughts were to use BitLocker USB startup keys and PINs, but user A can start a laptop with their key and PIN, then pass the device over to user B for login, so that's a no-no.

Thanks in advance


August 19th, 2015 11:34am

Well, you have so many companies doing USB/smart cards.

Most of the time they are called USB tokens; RSA is one, and many other companies offer this.

Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port respectively.

August 19th, 2015 12:04pm

Hi Peter, 

Thank you for your question. 

Virtual smart cards accomplish the three key properties that are desired of smart cards: non-exportability, isolated cryptography, and anti-hammering. Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security; we could refer to the following link to learn more about virtual smart cards: 

https://technet.microsoft.com/en-us/library/dn578507.aspx 

We could refer to the following link to deploy virtual smart card: 

https://technet.microsoft.com/en-us/library/dn579260.aspx 

If there are any questions regarding this issue, please feel free to let me know. 

Best Regards, 

Jim

August 25th, 2015 10:30pm

Hi Peter.

Your requirement is not yet clear to me. You write

"we need to ensure that only authorized users can logon to Windows 8.1 devices." - which is what anyone requires and usually solves without 2-factor auth. Then you write "My initial thoughts were to use Bitlocker USB start up keys and pins, but user A can start a laptop with their key and pin, then pass the device over to user B for login, so that's a no-no." - which suggests that you fear that users pass their credentials/keys to other non-authorized users. Why would they do that? And even if you found an authentication method to stop that, how would you ensure that he does not share important data with that unauthorized person if, in the first place, he is of the kind that shares all his credentials and keys?

So technically, having a second logon factor apart from your password can be done using BitLocker, yes. Encrypt that machine, use a startup PIN. No unauthorized user can start the machine, and no user can log on impersonating another user that way, so why isn't that enough? Please clarify. That all users would need to use the same PIN does no harm to security at all.

August 29th, 2015 8:20am
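As an added example (not posted by anyone in this thread), the audit script below checks what the reply above recommends: whether each BitLocker volume actually has a TPM+PIN pre-boot protector rather than only a TPM or USB external-key protector, and whether the TPM that a virtual smart card would be bound to is present and ready. It uses the built-in BitLocker and TrustedPlatformModule cmdlets and assumes an elevated PowerShell session on Windows 8.1 or later.

```powershell
# Added audit example, not code from the thread or from Microsoft documentation.
# Reports, per BitLocker volume, which key protector types are configured and
# whether a pre-boot PIN (TpmPin or TpmPinStartupKey) is among them.
# An ExternalKey (USB startup key) alone unlocks the disk for whoever holds the
# stick; it does not tie the unlock to a user account, which is the sharing
# problem raised in the original question.

function Get-PreBootPinStatus {
    # Get-Tpm needs administrator rights; tolerate its absence on non-TPM machines.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $usbOnly = ($types -contains 'ExternalKey') -and -not $hasPin

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ',')
            PreBootPin       = $hasPin
            UsbKeyWithoutPin = $usbOnly
            TpmPresent       = if ($tpm) { $tpm.TpmPresent } else { $false }
            TpmReady         = if ($tpm) { $tpm.TpmReady } else { $false }
        }
    }
}

# Flag only the OS volume findings an administrator would act on.
Get-PreBootPinStatus |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.PreBootPin } |
    Format-Table -AutoSize
```

A row in the output means the OS volume is unlocked by TPM alone or by a USB key, so the startup-PIN factor discussed in the reply is not in place on that machine.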
